Abstract

We consider the problem of recovering a hidden monic polynomial $f(X)$ of degree $d \ge 1$ over a finite field $\mathbb{F}_p$ of $p$ elements given a black box which, for any $x \in \mathbb{F}_p$, evaluates the quadratic character of $f(x)$. We design a classical algorithm of complexity $O(d^2 p^{d+\varepsilon})$ and also show that the quantum query complexity of this problem is $O(d)$. Some of our results extend those of Wim van Dam, Sean Hallgren and Lawrence Ip obtained in the case of a linear polynomial $f(X) = X + s$ (with unknown $s$); some are new even in this case.

1 Introduction

Let $p \ge 3$ be a prime number and let $\mathbb{F}_p$ denote a finite field of $p$ elements. We let $\chi$ denote the quadratic character of $\mathbb{F}_p$, or the Legendre symbol modulo $p$; see [17].

Wim van Dam, Sean Hallgren and Lawrence Ip, in a series of papers [...], have considered the shifted Legendre symbol problem of finding an unknown shift $s \in \mathbb{F}_p$ given an oracle $\mathcal{O}$ which for each $x \in \mathbb{F}_p$ computes $\chi(x + s)$. They have designed efficient quantum algorithms for the above problem and its generalisation to characters in residue rings.

The problem is of intrinsic interest and also has strong cryptographic motivation; sequences of values of quadratic characters have been considered as sources of cryptographically strong pseudorandom bits [..., 13, ...].

Here we consider a generalisation of the above problem to polynomials.

For an integer $d$ we let $\mathcal{M}_d$ denote the set of square-free monic polynomials $f(X) \in \mathbb{F}_p[X]$ of degree $d$,
$$\mathcal{M}_d = \bigl\{ f(X) = X^d + s_{d-1}X^{d-1} + \cdots + s_1 X + s_0 \;\big|\; s_0, \ldots, s_{d-1} \in \mathbb{F}_p \bigr\}.$$

We study the problem of finding $f \in \mathcal{M}_d$, given an oracle $\mathcal{O}_f$ which returns $\chi(f(x))$ for any $x \in \mathbb{F}_p$.

It is obvious that the square-freeness condition is essential because polynomials of the form $f_1(X) = F(X)G_1(X)^2$ and $f_2(X) = F(X)G_2(X)^2$ with $F(X), G_1(X), G_2(X) \in \mathbb{F}_p[X]$ cannot be distinguished by this oracle.

We remark that for the approach of [...], the orthogonality condition
$$\sum_{x \in \mathbb{F}_p} \chi\bigl((x+a)(x+b)\bigr) = \begin{cases} -1, & a \ne b, \\ p - 1, & a = b, \end{cases} \qquad a, b \in \mathbb{F}_p,$$
appears to be crucial; however, this condition fails for nonlinear polynomials. On the other hand, the Weil bound, see [...], provides a certain approximate analogue of the above identity:
$$\sum_{x \in \mathbb{F}_p} \chi\bigl(g(x)h(x)\bigr) = \begin{cases} O(p^{1/2}), & g \ne h, \\ p + O(1), & g = h, \end{cases} \qquad g, h \in \mathcal{M}_d. \tag{1}$$

Hereafter the implied constants in symbols '$O$' may depend on $d$ and also, where obvious, on the small positive parameter $\varepsilon$.

Using this property we demonstrate that the quantum query complexity of recovering $f$, given the oracle $\mathcal{O}_f$, is $O(d)$. In contrast, we observe that the classical query complexity is $\Theta(d \log p)$. Furthermore, we give a classical algorithm for reconstructing $f$ from $\mathcal{O}_f$, which appears to be new even in the case of linear polynomials. In fact this algorithm is also based on the Weil bound.

It is clear that the brute force approach leads to a (classical) algorithm of complexity $O(p^{d+1+\varepsilon})$ which is based on computation and comparison of the $p$-dimensional vectors of the values of $\chi(f(x))$ and $\chi(g(x))$ for all $x \in \mathbb{F}_p$ and all $g \in \mathcal{M}_d$. A naive use of the Weil bound shows that it is enough to compute and compare $\chi(f(x))$ and $\chi(g(x))$ only for $1 \le x \le d p^{1/2} \log^2 p$, which leads to an algorithm of complexity $O(p^{d+1/2+\varepsilon})$. We show that using the Weil bound in a less obvious way one can obtain an $O(p^{d+\varepsilon})$ algorithm.

It could be relevant to recall the work of Dima Grigoriev [...] where a somewhat related question is considered for multivariate polynomials (although the field characteristic is assumed to be small).

It is easy to see that our method applies to multiplicative characters of other orders and to multivariate polynomials as well.

Finally, it is also easy to see that we can allow oracles which return the right value of $\chi(f(x))$ only with some fixed probability $\gamma > 1/2$. We do not pursue this issue in this work, though.

Acknowledgement. We thank Asma Harcharras for several useful discussions.

2 Preparation

First of all we recall the Weil bound in its classical form given in Example 12 of Appendix 5 of [24]; see also Theorem 3 of Chapter 6 in [16] and Theorem 5.41 and comments to Chapter 5 of [17].

Lemma 1. For any $F \in \mathcal{M}_d$ which is not a perfect square of another polynomial, the bound

holds.

The following statement is also implied by the Weil bound and is essentially Theorem 2 of [19].

Lemma 2. For any integers $M < p$ and any $F \in \mathcal{M}_d$ which is not a perfect square of another polynomial, the bound
$$\Bigl| \sum_{x=1}^{M} \chi(F(x)) \Bigr| = O\bigl( d\, p^{1/2} \log p \bigr)$$
holds.

We also need a similar statement for multivariate polynomials.

Lemma 3. For any collection of $\ell$ pairwise distinct linear forms
$$L_\nu(s_0, \ldots, s_{d-1}) = s_0 + s_1 c_{1,\nu} + \cdots + s_{d-1} c_{d-1,\nu} + c_{d,\nu}, \qquad \nu = 1, \ldots, \ell,$$
over $\mathbb{F}_p$ the bound
$$\Bigl| \sum_{s_0, \ldots, s_{d-1} \in \mathbb{F}_p} \chi\Bigl( \prod_{\nu=1}^{\ell} L_\nu(s_0, \ldots, s_{d-1}) \Bigr) \Bigr| \le 2\ell\, p^{d-1/2}$$
holds.

Proof. We have
$$\sum_{s_0, \ldots, s_{d-1} \in \mathbb{F}_p} \chi\Bigl( \prod_{\nu=1}^{\ell} L_\nu(s_0, \ldots, s_{d-1}) \Bigr) = \sum_{s_1, \ldots, s_{d-1} \in \mathbb{F}_p} \; \sum_{s_0 \in \mathbb{F}_p} \chi\Bigl( \prod_{\nu=1}^{\ell} L_\nu(s_0, \ldots, s_{d-1}) \Bigr).$$
Clearly, there are at most $\ell^2 p^{d-2}$ $(d-1)$-tuples $(s_1, \ldots, s_{d-1}) \in \mathbb{F}_p^{d-1}$ for which the values of
$$s_1 c_{1,\nu} + \cdots + s_{d-1} c_{d-1,\nu} + c_{d,\nu}, \qquad \nu = 1, \ldots, \ell,$$
are not pairwise distinct. In this case we estimate the sum over $s_0$ by $p$. Otherwise we see from Lemma 1 that the sum over $s_0$ does not exceed $\ell p^{1/2}$. Therefore
$$\Bigl| \sum_{s_0, \ldots, s_{d-1} \in \mathbb{F}_p} \chi\Bigl( \prod_{\nu=1}^{\ell} L_\nu(s_0, \ldots, s_{d-1}) \Bigr) \Bigr| \le \ell^2 p^{d-1} + \ell\, p^{d-1/2}.$$
The claimed bound is trivial for $\ell \ge p^{1/2}$; otherwise we have $\ell p^{d-1/2} \ge \ell^2 p^{d-1}$ and the result follows. □

We remark that one can also use stronger bounds based on the famous results of Pierre Deligne; however, they do not improve our final results.

Our next statement gives an upper bound "on average" for weighted character sums with polynomials.

Lemma 4. For any integers $N < p$, $r \ge 1$ and any sequence of real numbers $a_x$ with $|a_x| \le 1$, $x = 1, \ldots, N$, the bound
$$\sum_{g \in \mathcal{M}_d} \Bigl| \sum_{x=1}^{N} a_x \chi(g(x)) \Bigr|^{2r} \le 4r N^{2r} p^{d-1/2} + \binom{2r}{r} r!\, N^r p^d$$
holds.

Proof. We have
$$\begin{aligned}
\sum_{g \in \mathcal{M}_d} \Bigl| \sum_{x=1}^{N} a_x \chi(g(x)) \Bigr|^{2r}
&= \sum_{g \in \mathcal{M}_d} \; \sum_{x_1, \ldots, x_{2r} \in [1,N]} \; \prod_{i=1}^{2r} a_{x_i} \chi(g(x_i)) \\
&= \sum_{x_1, \ldots, x_{2r} \in [1,N]} \; \prod_{i=1}^{2r} a_{x_i} \; \sum_{g \in \mathcal{M}_d} \chi\Bigl( \prod_{i=1}^{2r} g(x_i) \Bigr) \\
&\le \sum_{x_1, \ldots, x_{2r} \in [1,N]} \; \Bigl| \sum_{g \in \mathcal{M}_d} \chi\Bigl( \prod_{i=1}^{2r} g(x_i) \Bigr) \Bigr|.
\end{aligned}$$
Assume that $x_1, \ldots, x_{2r} \in [1,N]$ contains $m$ pairs of equal elements
$$x_{i_\nu} = x_{j_\nu}, \qquad \nu = 1, \ldots, m,$$
and $l = 2r - 2m$ pairwise distinct elements $y_\nu = x_{k_\nu}$, $\nu = 1, \ldots, l$. Then
$$\sum_{g \in \mathcal{M}_d} \chi\Bigl( \prod_{i=1}^{2r} g(x_i) \Bigr) = \sum_{g \in \mathcal{M}_d} \chi\Bigl( \prod_{\nu=1}^{l} g(y_\nu) \Bigr).$$
If $l = 0$, which happens for at most
$$\binom{2r}{r} r!\, N^r$$
$2r$-tuples $(x_1, \ldots, x_{2r}) \in [1,N]^{2r}$, then the sum over $g$ is obviously equal to $|\mathcal{M}_d| = p^d$. For $l > 0$ we derive
$$\sum_{g \in \mathcal{M}_d} \chi\Bigl( \prod_{\nu=1}^{l} g(y_\nu) \Bigr) = \sum_{s_0, \ldots, s_{d-1} \in \mathbb{F}_p} \chi\Bigl( \prod_{\nu=1}^{l} \bigl( s_0 + s_1 y_\nu + \cdots + s_{d-1} y_\nu^{d-1} + y_\nu^d \bigr) \Bigr).$$
It is easy to verify that because $y_1, \ldots, y_l$ are pairwise distinct elements of $\mathbb{F}_p$ the linear forms
$$s_0 + s_1 y_\nu + \cdots + s_{d-1} y_\nu^{d-1} + y_\nu^d, \qquad \nu = 1, \ldots, l,$$
satisfy the conditions of Lemma 3. Thus for at most $N^{2r}$ remaining $2r$-tuples $(x_1, \ldots, x_{2r}) \in [1,N]^{2r}$ the sum over $g$ is at most $2l p^{d-1/2} \le 4r p^{d-1/2}$. □

We recall that, using the Horner scheme, for any $g \in \mathcal{M}_d$ the value of $g(x)$ can be computed with $O(d)$ arithmetic operations modulo $p$. We also recall that polynomial evaluation and computing the quadratic character can be done in polynomial time in the standard RAM model of computation. Explicit and efficient versions of these statements can be found in [1], [11].

3 Classical Algorithm

Here we design an algorithm for the classical model of computation on a RAM computer. The complexity of our algorithm can be improved slightly if one uses fast algorithms for finite field arithmetic and polynomial evaluation, see [11]. In particular, one can replace $p^\varepsilon$ by a reasonably small power of $\log p$ and also improve the term $d^2$ in our estimate.

Theorem 5. For any fixed $\varepsilon > 0$ and $d \ge 1$, given an oracle $\mathcal{O}_f$ one can find $f \in \mathcal{M}_d$ in $O(d^2 p^{d+\varepsilon})$ binary operations.

Proof. Obviously we can assume that $p$ is sufficiently large. Put $M = \lceil d p^{1/2} \log^2 p \rceil$ and $N = \lceil d \log^2 p \rceil$.

Using the square-freeness condition we conclude that for any $g \in \mathcal{M}_d$ with $g \ne f$ the polynomial $gf$ is not a perfect square. Thus from Lemma 2 we see that in this case
$$\Bigl| \sum_{x=1}^{M} \chi\bigl( g(x) f(x) \bigr) \Bigr| = O(M / \log p),$$
while for $g = f$ this sum is at least $M - d$. Using the Horner scheme, for any $g \in \mathcal{M}_d$ the value of $g(x)$ can be computed with $O(d)$ arithmetic operations modulo $p$. Thus for any polynomial $g \in \mathcal{M}_d$ the above sum can be evaluated and the identity $g = f$ can be verified in $O(d^2 p^{1/2+\varepsilon})$ binary operations. We now show that in fact for all, except at most $O(p^{d-1/2} \log p)$, polynomials $g \in \mathcal{M}_d$ one can verify the identity $g = f$ in $O(dN \log^2 p)$ binary operations. It is enough to show that the inequality
$$\Bigl| \sum_{x=1}^{N} \chi\bigl( g(x) f(x) \bigr) \Bigr| \ge N - d \tag{2}$$
is possible for at most $O(p^{d-1/2} \log p)$ polynomials $g \in \mathcal{M}_d$. Using Lemma 4 with $a_x = \chi(f(x))$, we see that the number $T$ of polynomials $g \in \mathcal{M}_d$ with (2), for any integer $r \ge 1$, satisfies the inequality
$$T (N - d)^{2r} \le 4r N^{2r} p^{d-1/2} + \binom{2r}{r} r!\, N^r p^d.$$
Let $r = \lceil \log p \rceil$. We have
$$(N - d)^{2r} \ge N^{2r} (1 - d/N)^{2r} \ge N^{2r} / 2$$
for sufficiently large $p$. Therefore
$$T \le 8r p^{d-1/2} + 2 \binom{2r}{r} r!\, N^{-r} p^d \le 8r p^{d-1/2} + 2 (2r)^r N^{-r} p^d.$$
Taking into account that $(2r)^r N^{-r} = (2r/N)^r \le p^{-1/2}$ for our choice of $N$ and $r$, and sufficiently large $p$, we obtain the desired statement. □
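The two-stage test of the proof above (a cheap screening sum over $N$ points for every candidate, then a confirming sum for the few survivors), together with the square-freeness caveat from the introduction, as an added Python example that is not part of the paper. The prime $p = 61$, $d = 2$, the hidden polynomials and the threshold $N$ are constructed for illustration; the confirming stage sums over all of $\mathbb{F}_p$, so that the Weil bound of Lemma 1 separates $g = f$ from $g \ne f$ without the paper's asymptotic choice of $M$.

```python
# Added example (not the paper's code): recover a hidden monic polynomial f
# over F_p from the Legendre-symbol oracle O_f with the two-stage test of
# Theorem 5. All parameters (p, d, f, the threshold N) are constructed here.
from itertools import product
from math import log


def chi(a, p):
    """Quadratic character of a modulo the odd prime p, via Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def horner(coeffs, x, p):
    """Value at x of X^d + s_{d-1} X^{d-1} + ... + s_0, coeffs = (s_0, ..., s_{d-1}),
    in O(d) operations modulo p as in the proof of Theorem 5."""
    acc = 1
    for s in reversed(coeffs):
        acc = (acc * x + s) % p
    return acc


def make_oracle(f, p):
    """The oracle O_f : x -> chi(f(x)) for the hidden coefficient tuple f."""
    return lambda x: chi(horner(f, x, p), p)


def correlation(oracle_vals, g, xs, p):
    """sum over x in xs of chi(g(x)) chi(f(x)); for xs = [1, N] this is the sum in (2)."""
    return sum(chi(horner(g, x, p), p) * oracle_vals[x] for x in xs)


def recover(oracle, d, p):
    """Return every monic degree-d g whose character values match the oracle.

    Stage 1 screens all p^d candidates with the short sum (2) on N points;
    only survivors reach stage 2, the sum over all of F_p, which is >= p - d
    for g = f but at most (2d - 1) p^{1/2} whenever g f is not a perfect
    square (Lemma 1).  Assumes (2d - 1) p^{1/2} < p - d.  For square-free f
    the result is exactly [f]; for f = F G^2 it also lists the candidates
    F H^2 that no such oracle can tell apart (Section 1)."""
    N = min(p - 1, max(2 * d, int(d * log(p) ** 2)))  # N ~ d log^2 p
    oracle_vals = {x: oracle(x) for x in range(p)}
    stage1 = [g for g in product(range(p), repeat=d)
              if correlation(oracle_vals, g, range(1, N + 1), p) >= N - d]
    return [g for g in stage1
            if correlation(oracle_vals, g, range(p), p) >= p - d]
```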
4 Quantum Query Complexity

As above, we consider the problem of recovering a polynomial $f$ from an oracle $\mathcal{O}_f : x \mapsto \chi(f(x))$. An easy counting argument shows that the classical query complexity is $\Omega(d \log p)$ (it is in fact $\Theta(d \log p)$); see, for example, van Dam's article [...] for an analogous argument. We begin by showing that the quantum query complexity of this problem is at most $O(d)$. We refer the reader to accounts by Nielsen and Chuang [20] and Kitaev [15] for a discussion of quantum computation and quantum algorithms. In particular, we need the notion of positive operator valued measurement (POVM) (see, e.g., [...] for a discussion which matches our notation below).

Recall that a POVM $P$ on a Hilbert space $\mathcal{H}$ is a set $A$ and a family $\{ \vartheta_a \mid a \in A \}$ of positive semidefinite operators on $\mathcal{H}$ with the property that
$$\sum_{a \in A} \vartheta_a = \mathbb{1},$$
where $\mathbb{1}$ denotes the identity operator. The result of the measurement $P$ on the state $\Psi \in \mathcal{H}$ is the probability distribution on $A$ where $a \in A$ is observed with probability $\langle \vartheta_a \Psi, \Psi \rangle$. Note that $\langle \vartheta_a \Psi, \Psi \rangle \ge 0$, as $\vartheta_a$ is positive semidefinite, and that
$$\sum_{a \in A} \langle \vartheta_a \Psi, \Psi \rangle = \Bigl\langle \Bigl( \sum_{a \in A} \vartheta_a \Bigr) \Psi, \Psi \Bigr\rangle = \langle \Psi, \Psi \rangle = 1.$$
Note, also, that in the special case when $\vartheta_a = \gamma \pi$ for a projection $\pi$ and a scalar $\gamma \in [0, 1]$, $\langle \vartheta_a \Psi, \Psi \rangle = \gamma \| \pi \Psi \|^2$.

Theorem 6. Let $f$ be a polynomial in $\mathcal{M}_d$. If $d < p^{1/2-\varepsilon}$ for some fixed $\varepsilon > 0$ then there exists a quantum algorithm which, after $O(d)$ quantum queries to $\mathcal{O}_f$, produces a state for which there is a POVM that determines $f$ with probability at least $1 + O(p^{-1})$.

Proof. Let us put $k = \lceil 2(d+1)/\varepsilon \rceil$. For a prime $p$, let $\mathcal{Q}$ denote a $p$-dimensional Hilbert space with an orthonormal basis $\{ |z\rangle \mid z \in \mathbb{Z}_p \}$. Initially, by applying the Fourier transform to a delta state, we arrive at the uniform superposition
$$p^{-1/2} \sum_{x \in \mathbb{F}_p} |x\rangle,$$
which is used to query the oracle $\mathcal{O}_f$. Let $\tilde\chi : \mathbb{F}_p \to \{\pm 1\}$ be the function
$$\tilde\chi(x) = \begin{cases} \chi(x) & \text{if } x \ne 0, \\ 1 & \text{if } x = 0. \end{cases}$$
We can certainly assume that in fact we are given an oracle $\mathcal{O}_f$ with $\mathcal{O}_f(x) = \tilde\chi(f(x))$. Then the result of the query may be computed into the phases by a controlled phase shift, yielding the state
$$p^{-1/2} \sum_{x \in \mathbb{F}_p} \tilde\chi(f(x)) \, |x\rangle.$$
Repeating the process independently $k \ge 1$ times yields the tensor product state
$$\Psi_{f,k} = p^{-k/2} \sum_{\mathbf{x} \in \mathbb{F}_p^k} \; \prod_{i=1}^{k} \tilde\chi(f(x_i)) \, |\mathbf{x}\rangle, \qquad \text{where } \mathbf{x} = (x_1, \ldots, x_k),$$
and $|\mathbf{x}\rangle = |x_1\rangle \otimes \cdots \otimes |x_k\rangle$. In general, we let $\Psi_{g,k}$ denote the state that would have arisen at this point had we started with the polynomial $g \in \mathcal{M}_d$. Observe that for $g \in \mathcal{M}_d$, $\langle \Psi_{g,k}, \Psi_{g,k} \rangle = 1$ and, furthermore, that for distinct $g, h \in \mathcal{M}_d$,
$$\langle \Psi_{g,k}, \Psi_{h,k} \rangle = p^{-k} \sum_{\mathbf{x} \in \mathbb{F}_p^k} \; \prod_{i=1}^{k} \tilde\chi(g(x_i)) \tilde\chi(h(x_i)) = \Bigl( \frac{1}{p} \sum_{z \in \mathbb{F}_p} \tilde\chi(g(z)) \tilde\chi(h(z)) \Bigr)^k.$$
To bound this, we focus on the inner quantity
$$a_{2d} = \max_{\substack{g, h \in \mathcal{M}_d \\ g \ne h}} \Bigl| \sum_{z \in \mathbb{F}_p} \tilde\chi(g(z)) \tilde\chi(h(z)) \Bigr|.$$

For a polynomial $g \in \mathbb{F}_p[X]$, let $V(g) = \{ x \in \mathbb{F}_p \mid g(x) = 0 \}$. Recall that $V(gh) = V(g) \cup V(h)$ and that for a nonzero univariate polynomial $g$, $|V(g)| \le \deg(g)$. Considering that $\tilde\chi(f(x)) = \chi(f(x))$ for $x \notin V(f)$, we bound $a_{2d}$ as follows:
$$\begin{aligned}
a_{2d} &= \max_{\substack{g, h \in \mathcal{M}_d \\ g \ne h}} \Bigl| \sum_{z \in \mathbb{F}_p} \tilde\chi(g(z)) \tilde\chi(h(z)) \Bigr| \\
&\le \max_{\substack{g, h \in \mathcal{M}_d \\ g \ne h}} \Bigl( \Bigl| \sum_{z \in \mathbb{F}_p \setminus V(gh)} \chi(g(z)) \chi(h(z)) \Bigr| + \Bigl| \sum_{z \in V(gh)} \tilde\chi(g(z)) \tilde\chi(h(z)) \Bigr| \Bigr) \\
&\le \max_{\substack{g, h \in \mathcal{M}_d \\ g \ne h}} \Bigl( \Bigl| \sum_{z \in \mathbb{F}_p \setminus V(gh)} \chi\bigl( g(z) h(z) \bigr) \Bigr| + |V(gh)| \Bigr) \\
&\le \max_{\substack{g, h \in \mathcal{M}_d \\ g \ne h}} \Bigl| \sum_{z \in \mathbb{F}_p \setminus V(gh)} \chi\bigl( g(z) h(z) \bigr) \Bigr| + 2d.
\end{aligned}$$
Note now that for two distinct elements $g, h \in \mathcal{M}_d$, the product $gh$ cannot be a perfect square and from Lemma 1 we conclude that
$$a_{2d} \le \max_{g \in \mathcal{M}_{2d}} \Bigl| \sum_{z \in \mathbb{F}_p} \chi(g(z)) \Bigr| + 2d \le d p^{1/2} + 2d \le 2 d p^{1/2}, \tag{3}$$
provided that $p > 3$ (otherwise the result is trivial). Hence for distinct $g, h \in \mathcal{M}_d$ we have
$$|\langle \Psi_{g,k}, \Psi_{h,k} \rangle| \le a_{2d}^k \, p^{-k}. \tag{4}$$

Now we show that there is a POVM that identifies the polynomial $f$ with probability $1 + O(p^{-1})$. For each $g \in \mathcal{M}_d$, let $\pi_{g,k}$ be the projection operator onto the subspace spanned by $\Psi_{g,k}$. As each $\pi_{g,k}$ is a projection operator, it is positive semidefinite, and we now show that for some $0 < \alpha \le 1$ with $\alpha = 1 + O(p^{-1})$, there is a decomposition of the identity operator $\mathbb{1}$ of the form
$$\mathbb{1} = \rho + \sum_{g \in \mathcal{M}_d} \alpha \, \pi_{g,k},$$
where $\rho$ and all $\pi_{g,k}$ are positive semidefinite operators on $\mathcal{Q}^{\otimes k}$. Note that if $\Psi_{f,k}$ is measured according to this POVM, the "correct" index $f, k$ is observed with probability $\alpha$.

So define $\rho = \mathbb{1} - \sum_{g \in \mathcal{M}_d} \alpha \, \pi_{g,k}$; we wish to select $\alpha = 1 + O(p^{-1})$ to ensure that $\rho$ is positive semidefinite. It suffices to see that for our choice of $\alpha$
$$\Bigl\| \sum_{g \in \mathcal{M}_d} \alpha \, \pi_{g,k} \Bigr\| \le 1, \tag{5}$$
where $\|M\|$ denotes the operator norm of $M$, given by
$$\|M\| = \sup \frac{\|M \Psi\|}{\|\Psi\|},$$
this supremum taken over all nonzero vectors $\Psi$. Note that for a unit vector $\Psi$,

$\sum_{g \in \mathcal{M}_d}$ $\sum_{g \in \mathcal{M}_d}$

Let $\mathcal{H}_d$ be a Hilbert space of dimension $|\mathcal{M}_d|$ with orthonormal basis $\{ B_g \mid g \in \mathcal{M}_d \}$ and let $\tau : \mathcal{H}_d \to \mathcal{Q}^{\otimes k}$ be the linear operator
$$\tau = \sum_{g \in \mathcal{M}_d} \Psi_{g,k} \, B_g^*;$$
here $B_g^* : \mathcal{H}_d \to \mathbb{C}$ is the linear functional $B_g^* : \Phi \mapsto \langle \Phi, B_g \rangle$. Then
$$\tau \tau^* (\Phi) = \sum_{g, h \in \mathcal{M}_d} \Psi_{g,k} \, B_g^*(B_h) \, \langle \Phi, \Psi_{h,k} \rangle = \sum_{g \in \mathcal{M}_d} \Psi_{g,k} \, \langle \Phi, \Psi_{g,k} \rangle = \sum_{g \in \mathcal{M}_d} \pi_{g,k}(\Phi),$$
so that $\sum_{g} \pi_{g,k} = \tau \tau^*$; recalling that $\|\tau^*\|^2 = \|\tau \tau^*\|$, it suffices to suitably upper bound $\|\tau^*\|$. So let $\Phi \in \mathcal{Q}^{\otimes k}$ be an element in the span of $\{ \Psi_{g,k} \mid g \in \mathcal{M}_d \}$ and let $\Gamma = \sum_g \gamma_g B_g$ satisfy $\tau(\Gamma) = \Phi$, which is to say that
$$\Phi = \sum_{g \in \mathcal{M}_d} \gamma_g \Psi_{g,k}.$$

Observe that
$$\begin{aligned}
\|\Phi\|^2 = \Bigl\| \sum_{g \in \mathcal{M}_d} \gamma_g \Psi_{g,k} \Bigr\|^2
&= \sum_{g, h \in \mathcal{M}_d} \gamma_g \gamma_h^* \langle \Psi_{g,k}, \Psi_{h,k} \rangle \\
&= \sum_{g \in \mathcal{M}_d} |\gamma_g|^2 + O\Bigl( a_{2d}^k \, p^{-k} \Bigl( \sum_{g \in \mathcal{M}_d} |\gamma_g| \Bigr)^2 \Bigr) \\
&= \|\Gamma\|^2 + O\bigl( p^{d-k} a_{2d}^k \, \|\Gamma\|^2 \bigr) = \bigl( 1 + O( p^{d-k} a_{2d}^k ) \bigr) \|\Gamma\|^2,
\end{aligned} \tag{6}$$
by the Cauchy-Schwarz inequality. With $\Phi$ expressed in this way, we expand $\|\tau^* \Phi\|$ as follows:

(7)

Recalling the inner product bounds of (4), for any $g \in \mathcal{M}_d$ we must have
$$\Bigl| \sum_{\substack{h \in \mathcal{M}_d \\ h \ne g}} \gamma_h \langle \Psi_{h,k}, \Psi_{g,k} \rangle \Bigr| \le a_{2d}^k \, p^{-k} \sum_{h \in \mathcal{M}_d} |\gamma_h| \le a_{2d}^k \, p^{d/2-k} \, \|\Gamma\|, \tag{8}$$
again by the Cauchy-Schwarz inequality. Finally, considering that $\|\alpha + \beta\| \le \|\alpha\| + \|\beta\|$, we conclude from (7) and (8) that
$$\|\tau^* \Phi\| \le \|\Gamma\| + p^{d-k} a_{2d}^k \, \|\Gamma\| = \bigl( 1 + p^{d-k} a_{2d}^k \bigr) \|\Gamma\|$$
and, from (6), that
$$\|\tau^* \Phi\| \le \bigl( 1 + O( p^{d-k} a_{2d}^k ) \bigr) \|\Phi\|.$$
Hence
$$\Bigl\| \sum_{g \in \mathcal{M}_d} \pi_{g,k} \Bigr\| \le 1 + O( p^{d-k} a_{2d}^k ).$$
We can assume that $p \ge 2^{2/\varepsilon}$ and hence that $2 \le p^{\varepsilon/2}$, because otherwise the result is trivial. Then by (3) we have
$$p^{d-k} a_{2d}^k \le p^{d-k} \bigl( 2 d p^{1/2} \bigr)^k \le p^{d-k} p^{(1-\varepsilon/2)k} = p^{d - k\varepsilon/2} \le p^{-1},$$
because of our choice of $k$. We obtain
$$\Bigl\| \sum_{g \in \mathcal{M}_d} \pi_{g,k} \Bigr\| \le 1 + O(p^{-1}),$$
and are guaranteed that (5) holds (provided that $p$ is large enough) for some $\alpha = 1 + O(p^{-1})$ (recall that $(1 + \delta)^{-1} = 1 + O(\delta)$). Thus the above POVM determines $f$ with probability $\alpha = 1 + O(p^{-1})$. □